/    Sign up×
Community /Pin to ProfileBookmark

How to catch an error when adding data to a MySQL database

Copy linkTweet thisAlerts:
Mar 06.2009

Hi,

I have added a little area on my site where users can add comments. The comments get sent to the db and are displayed on the page. This is done by a simple form that links to a php page with this code:

<?
include(‘../../functions.php’);

$name=$_POST[‘name’];
$company =$_POST[‘company’];
$email=$_POST[’email’];
$comment=$_POST[‘comment’];
$optin=$_POST[‘optin’];

// Connect to the MySQL DB server.
// calls function from functions.php to connect to the database.
connectToDB();

// Assign the SQL statement to the variable $query.
$query = “INSERT INTO forum_comments VALUES (”,’$name’,’$company’,’$email’, ‘$comment’, CURDATE(), ‘$optin’, ‘1’)”;

//Execute the query on the database.
mysql_query($query);

//Close the connection with the DB.
mysql_close();

header(‘Location: ../../forum.php’);
?>

For some reason, about every one time in ten, the data doesn’t get added to the db. I can’t understand why as it seems to be an intermittent fault.

Can anyone give any advice on why this may be happening?

Is there a way to make the code wait for a confirmation from the db, before redirecting back to the comment page?

Thanks in advance.

to post a comment
PHP

5 Comments(s)

Copy linkTweet thisAlerts:
@NogDogMar 06.2009 — Probably because you are not escaping the user inputs being used in the query. If any of the values have certain special characters in them (special as far as MySQL query syntax is concerned) they can cause problems. You should be using mysql_real_escape_string() on those values before using them in your query.

As far as debugging, check the return value of mysql_query(), and if it is false, you can log debug info or whatever you want to do if it fails, using mysql_error() to get the last error message, e.g.:
[code=php]
$result = mysql_query($query);
if($result = false)
{
error_log(__FILE__ . '(' . __LINE__ . '): ' . mysql_error() . "n$query");
// display error message or redirect to generic error page.
}
[/code]
Copy linkTweet thisAlerts:
@coldscooterauthorMar 06.2009 — Thanks for your response. That is very useful. I actually just realised, just as you posted your response, that it was because of the ' and " characters, just as you stated.

I sorted it by using str_replace("'","'",string)

Thanks again for a swift response.
Copy linkTweet thisAlerts:
@NogDogMar 06.2009 — No, use mysql_real_escape_string(). That's what it's there for, and covers [i][b]all[/b][/i] special characters that you need to be escaped to avoid SQL injection problems (both incidental and malicious injections).
Copy linkTweet thisAlerts:
@coldscooterauthorMar 06.2009 — Hi thanks for the advice. I have added this to the top of my function:

$name=mysql_real_escape_string($_POST['name']);

But it comes through blank. Am i using this incorrectly? Can i only use it actually in the SQL statement?
Copy linkTweet thisAlerts:
@coldscooterauthorMar 06.2009 — Ah, it was because i was using mysql_real_escape_string() before i made the connection to the DB. Thanks for all the help. all sorted now ;-)
×

Success!

Help @coldscooter spread the word by sharing this article on Twitter...

Tweet This
Sign in
Forgot password?
Sign in with TwitchSign in with GithubCreate Account
about: ({
version: 0.1.9 BETA 6.2,
whats_new: community page,
up_next: more Davinci•003 tasks,
coming_soon: events calendar,
social: @webDeveloperHQ
});

legal: ({
terms: of use,
privacy: policy
});
changelog: (
version: 0.1.9,
notes: added community page

version: 0.1.8,
notes: added Davinci•003

version: 0.1.7,
notes: upvote answers to bounties

version: 0.1.6,
notes: article editor refresh
)...
recent_tips: (
tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @meenaratha,
tipped: article
amount: 1000 SATS,

tipper: @AriseFacilitySolutions09,
tipped: article
amount: 1000 SATS,
)...